I'm hoping someone can help me with this one.
I have a Fortigate 300 with Internal, External and DMZ/HA ports.
I have 2 servers connected with each other in a Microsoft Cluster Services (MSCS) cluster in the Internal subnet. There are also a number of other non-clustered servers in the subnet.
There are web servers in the DMZ/HA subnet.
When the firewall is configured to allow this (for testing), External traffic can connect successfully to the clustered servers in the Internal subnet. Internal traffic can also connect to these 2 servers.
The problem is that DMZ/HA source traffic cannot connect to the clustered server, even if all DMZ traffic is allowed to connect to Internal. The web servers in DMZ can connect successfully to all other servers in Internal, but still cannot connect to the MSCS cluster.
Machines in the DMZ cannot connect to (or even ping) the cluster virtual IP addresses, or the nodes' individual IP addresses.
For temporary testing, the Fortigate is configured to not restrict any access between Internal, DMZ and External.
When we had a Fortigate 100A, this was not a problem; everything worked fine.
Does anyone know if there are problems with the Fortigate 300 not allowing any connections between DMZ/HA and Internal when connecting to Windows clustered servers? The Fortigate firmware is at: Fortigate-3002.80,build489,051027